Facebook Removes Accounts That Spread Malware to Thousands of People

Researchers have discovered the Facebook account network, which uses Libyan themes and information to spread malware to tens of thousands of people over a five-year period.

Links to Android and Windows-based malware caught the attention of the researcher when they found them in a Facebook post proposed as Marshal Khalifa Haftar, commander of the Libyan National Army. The false account, created in early April and with more than 11,000 subscribers, was supposed to publish documents showing countries such as Qatar and Turkey conspiring against Libya, as well as photos of captured pilots trying to bomb Tripoli. Another post promised to offer a mobile application allowing Libyans to join the country’s armed forces.

The post according to the security company Check Point, most links point to VBScripts, Windows script files and Android applications deemed dangerous. The products include a variant of the open source remote administration tools named Houdina, Remcos and SpyNote. Most of the tools are stored in file hosting services such as Google Drive, Dropbox and Box.

The false Haftar publication is interrupted by typos, spelling mistakes and grammatical errors. Spelling errors, in particular, provide Check Point researchers with a high degree of certainty that the content will be created by Arabic-speaking people, because translation engines that convert text from another language cannot generate quality language.

Official Libya – 51,000

Libya my people – 110.4k

Crimes in Libya – 63.9k

Emad-al-Trabilsi official page – 139.5k

Dignity Urgent – 61.7k

It’s just the beginning

When looking for other sources that have made the same mistakes, the researchers found that more than 30 Facebook pages, some of which were active since 2014, broadcasting the same malicious links. The five most popular sites were followed by more than 422,000 Facebook accounts, as shown in the following chart:

The attacker used URL truncation services to generate links. In this way, Check Point researchers were able to determine how many times a given link was clicked and from which geographic area. Most links have had thousands of clicks, mostly from the moment the links were created and shared. The data also shows that Facebook pages were the most common source of links, indicating how they made use of social media as the medium for the campaign. In the meantime, most of the clicks came from Libya, although some affected machines were also in Europe, in the United States, and Canada.

Almost all malware tested during the five years were related to control servers and control drpc.duckdns [.] Org and libya-10 [.] Com [.] Ly. A search in Whois revealed that this last domain was registered for someone using the email address drpc1070@gmail.com. The same email address was used to register other domains, including dexter-ly.space and dexter-ly.com.

The name “Dexter Ly” led the researchers to another Facebook account. The new report repeats the same typographical errors than those found on previous pages, leading the researchers to assess with confidence that all the pages are the work of the same person or the same group. The newly discovered account also openly shared the details of the malicious campaign, including screenshots of areas where infected devices were managed.

Monday’s post revealed that Facebook had removed the pages and accounts after the Check Point investigators reported the campaign in private.

“These Pages and accounts violated our policies and we took them down after Check Point reported them to us,” Facebook officials said in a statement. We are continuing to invest heavily in technology to keep malicious activity off Facebook, and we encourage people to remain vigilant about clicking on suspicious links or downloading untrusted software.”

The statement does not explain why Facebook was not able to see the campaign itself.

“Although the set of tools which the attacker utilized is not advanced nor impressive per se, the use of tailored content, legitimate websites and highly active pages with many followers made it much easier to potentially infect thousands of victims,” the researchers wrote. “The sensitive material shared in the ‘Dexter Ly’ profile implies that the attacker has managed to infect high profile officials as well.”

Although the campaign was interrupted, its determination clearly shows how effective operations can be with modest resources.

Kevin Jones, Ph.D., is a research associate and a Cyber Security Author with experience in Penetration Testing, Vulnerability Assessments, Monitoring solutions, Surveillance and Offensive technologies etc.
Currently, he is a freelance writer on latest security news and other happenings. He has authored numerous articles and exploits which can be found on popular sites like hackercombat.com and others.

HackerCombat LLC is a news site, which acts as a source of information for IT security professionals across the world. We have lived it for more than 1 year since 2017, sharing IT expert guidance and insight, in-depth analysis, and news. We also educate people with product reviews in various content forms.

As a dedicated cybersecurity news platform, HC has been catering unbiased information to security professionals, on the countless security challenges that they come across every day. We publish data on comprehensive analysis, updates on cutting-edge technologies and features with contributions from thought leaders. Hackercombat LLC also has a section extensively for product reviews and forums.

We are continuously working in the direction to better the platform, and continue to contribute to their longevity and success.